Best Practices for Securing TR-069

Published: Mar 1, 2017
Tags: security TR-069 ssl tls

For our article on the alleged TR-069 vulnerability during the Mirai bot scare, go here.

As one of the most largely deployed broadband management protocols in the world, TR-069 has quite a footprint, and a compromised system could potentially affect many broadband subscribers adversely.

Luckily, TR-069 is built to operate on secure transport protocols. While there is nothing inherently insecure to the protocol itself, improper implementation of TR-069 clients and servers may expose problems that can be exploited by malicious attackers, as is the case with any web service. Here’s three best practices you can use to ensure a secure CWMP system:

Use secure HTTP transport over TLS

It is vitally important to note that TR-069 is designed to operate over a secure transport layer. From TR-069 Amendment 5 section 3.3:

The use of TLS to transport the CPE WAN Management Protocol is RECOMMENDED, although the protocol MAY be used directly over a TCP connection instead. If TLS is not used, some aspects of security are sacrificed. Specifically, TLS provides confidentiality and data integrity, and allows certificate-based authentication in lieu of shared secret-based authentication.

Furthermore, to support this recommendation, CPE devices implementing TR-069 are required to support TLS in the event that the ACS URL specifies HTTPS:

If the ACS URL has been specified as an HTTPS URL, the CPE MUST establish secure connections to the ACS, and SHOULD use TLS 1.2 (or, if supported, a later version).

TR-069, just like any web service, can and should be run over a secure connection, and this advice is called out specifically in the protocol. CDRouter’s TR-069 add-on has test cases to check that your device will do certificate based authentication correctly and includes negative test cases to prove that the device will reject bad certificates.

Lock down open ports and do not expose TR-069 configuration details to the user

While TR-069 does not expose user password data via the protocol (password type fields in the data model are write-only), often, devices expose some CWMP configuration functionality locally in the event that things like the ACS URL need to be changed. This can be avoided by ensuring that the ACS URL will be known by the device ahead of time (i.e., if the service provider deployment is known), or to sufficiently lock away TR-069 configuration options from the user’s interface or restrict it to certain users of the device OS, and not through the subscriber’s interface at all.

Obviously, such access to a device can only be gained by a device that is already compromised or left open. Ensuring that your TR-069 enabled devices do not leave any exposed ports or applications can help to mitigate this risk. In this case, CDRouter’s nmap port scan test cases can help uncover where your devices may be vulnerable.

TR-069 does however use a connection request mechanism over an open HTTP port. It’s important to note that no TR-069 messages are ever sent over this port; it is only insecure if not used for its intended purpose. It is also a best practice for devices to white-list those servers that will be using the connection request mechanism so that this interface is not abused.

Ensure parameter data is validated to prevent code injection attacks

In 2016, a distributed denial of service (DDoS) attack dubbed the “Mirai worm” expanded its reach by exploiting a vulnerability in an exposed Broadband Forum TR-064 service (a deprecated service which we’ve written about here). The attack used a shell injection technique in order to instruct the target to download and run malware turning the target into a DoS participant. The event has sparked a lot of questions about TR-069 security.

As an experiment, we tried this same shell injection attack on TR-069 data model parameters to demonstrate that certain TR-069 implementations may be vulnerable to the same attack. It turns out it was. Read our discussion of the problem here.

Use BBF.069 certified devices and get your devices certified

Most importantly, best practices that are specified by a standard are only valuable if devices can prove that they comply with those practices. Fortunately, the Broadband Forum’s BBF.069 CPE Certification Program is in place to allow service providers to vet devices for compliance and for vendors to prove compliance to their customers and interoperability partners. The BBF.069 program includes test cases for nearly every requirement and recommendation in TR-069, including those necessary for securing CWMP systems.

CDRouter is the official test platform for the BBF.069 CPE Certification Program, and the BBF.069 add-on provides all of the test cases and configuration options necessary to perform testing before, during, or after seeking certification at an approved certification lab.